[OAUTH-WG] Reusing refresh tokens and additional parameters when granting authorization
Hi,

I am currently implementing OAuth v2, and I have a couple of questions:

- When a client requests an access token, with grant type "password" for example, can the authorization server resend the same refresh token from the last time the same client/resource owner combination requested an access token? That would prevent the auth database from being flooded with refresh tokens (which do not expire automatically) from a badly behaving client reusing the "password" grant type repeatedly. Or did I overlook some security considerations?

- More about obtaining an access token: is it possible to send additional (and optional) parameters along when the client requests an access token? The draft states "the authorization server SHOULD ignore unrecognized request parameters.", so I am thinking "yes". Am I correct?

Thanks!

Cheers,
Eric Cestari

___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
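The two behaviours Eric asks about, one refresh token per client/resource-owner pair for the password grant and unrecognized request parameters being ignored rather than rejected, as an added example that is not code from this thread or from any OAuth implementation. The in-memory CLIENTS, USERS and REFRESH_TOKENS tables and the one-token-per-pair policy are assumptions; the list of ignored parameter names is returned only so the caller can log it.

```python
import hmac
import secrets

# Constructed in-memory tables standing in for the authorization server's
# database (assumption; a real server stores hashed secrets persistently).
CLIENTS = {"app1": "client-secret-1"}
USERS = {"alice": "correct horse battery staple"}
REFRESH_TOKENS = {}  # refresh_token -> (client_id, username)
ACCESS_TOKEN_TTL = 3600

# Parameters the token endpoint understands for grant_type=password.
RECOGNIZED = {"grant_type", "username", "password", "scope",
              "client_id", "client_secret"}


class TokenError(Exception):
    """Raised with an OAuth error code when the request must be refused."""


def find_refresh_token(client_id, username):
    """Return the refresh token already issued to this client/owner pair, if any."""
    for token, owner in REFRESH_TOKENS.items():
        if owner == (client_id, username):
            return token
    return None


def token_endpoint(params):
    """Handle a grant_type=password request; return (token_response, ignored_params).

    Unknown parameters are collected and ignored, and a repeated request from the
    same client/resource owner pair gets the existing refresh token back instead
    of adding another row to REFRESH_TOKENS.
    """
    ignored = sorted(set(params) - RECOGNIZED)
    if params.get("grant_type") != "password":
        raise TokenError("unsupported_grant_type")
    client_id = params.get("client_id", "")
    secret = CLIENTS.get(client_id)  # explicit None check: "" == "" must not pass
    if secret is None or not hmac.compare_digest(secret, params.get("client_secret", "")):
        raise TokenError("invalid_client")
    username = params.get("username", "")
    password = USERS.get(username)
    if password is None or not hmac.compare_digest(password, params.get("password", "")):
        raise TokenError("invalid_grant")
    refresh = find_refresh_token(client_id, username)
    if refresh is None:  # first grant for this pair: mint and store one token
        refresh = secrets.token_urlsafe(32)
        REFRESH_TOKENS[refresh] = (client_id, username)
    response = {"access_token": secrets.token_urlsafe(32), "token_type": "bearer",
                "expires_in": ACCESS_TOKEN_TTL, "refresh_token": refresh}
    return response, ignored
```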
Re: [OAUTH-WG] Reusing refresh tokens and additional parameters when granting authorization
Torsten, Justin,

Thank you for your answers. I know the spec would not address some of the points I raised, but I was pretty sure you had some best practices in mind.

On 3 May 2011 at 14:48, Lodderstedt, Torsten wrote:

>> - More about obtaining an access token: is it possible to send additional
>> (and optional) parameters along when the client requests an access token?
>> The draft states "the authorization server SHOULD ignore unrecognized
>> request parameters.", so I am thinking "yes". Am I correct?
>
> Doesn't section 8.2 answer this question?

Indeed, a massive oversight on my part, thank you!

Eric